Has the NSA just been hacked? Security experts speaking with FORBES think it's possible, after a group published malware and attack code allegedly belonging to the Equation Group, a crew linked to the US intelligence agency. But while many believe the leak looks legitimate, the hackers could have pulled off a very clever ruse.

Two days ago, on August 13, a group calling themselves The Shadow Brokers released files on Github, claiming they came from the Equation Group. The files included code allegedly designed to exploit firewalls from American manufacturers Cisco, Juniper and Fortinet. One Chinese company, Topsec, was also an Equation target, according to the leaks. None of the manufacturers had responded to requests for comment at the time of publication.

The hackers released 60 per cent of the files they claimed to have taken from the Equation Group. The Shadow Brokers said they would release the remaining data to the highest bidder in a Bitcoin auction (they've received two bids so far). If they received an extraordinary 1,000,000 Bitcoins, worth roughly $560 million, they would release all the files.

"We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons," the hacker collective wrote (grammar errors theirs). "We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

"If you want know your networks hacked, you send bitcoin. If you want hack networks as like equation group, you send bitcoin. If you want reverse, write many words, make big name for self, get many customers, you send bitcoin. If want to know what we take, you send bitcoin."

Sources who've been delving into the leak believe it to be either legitimate or a very well-researched hoax, and labelled the Bitcoin auction a distraction, an attempt to gain media attention (the first tweets from the Shadow Brokers were sent to various publications). A genuine leak, according to current thinking, is the more likely of the two.

"The code in the dump seems legitimate, especially the Cisco exploits ... and those exploits were not public before," said Matt Suiche, founder of UAE-based cybersecurity start-up Comae Technologies. "The content seems legit."

Suiche noted, however, that attribution to the Equation Group could be faked. And one malware analyst who asked to remain anonymous said the hackers could have looked through all documents leaked by Edward Snowden, taken previously unused information and created an elaborate ruse. But the source, having analysed the files, was close to convinced they were real.

Claudio Guarnieri, a malware researcher who has worked on some of the Snowden files, said the leaks seemed credible. He hypothesized the group may have hacked a "listening post" (LP), a part of surveillance infrastructure through which malware sends back information and is sent commands.

A review of the files revealed what appear to be vulnerabilities and exploits for some widely-used firewalls -- network security technologies that aim to block digital snoops from entering. Suiche posted a handy rundown of the products affected. He said at the very least the exploits for the Cisco products included "real code" designed specifically to take control of the firewalls. "It's not automatically generated or something like that."

Alongside those alleged exploits were implants -- malware that is covertly dropped on the network once the firewall and other security mechanisms have been bypassed. There were also some scripts and basic instructions for the malware's usage.

Most of the exploits dated from 2013, making it an old leak, FORBES understands. As Guarnieri told me in his summation of the leak: "I think it's credible, it seems legit, but old and very delimited." The harm to any NSA operation will, therefore, be limited.

The NSA had not responded to a request for comment at the time of publication. Neither had the Shadow Brokers.

Whatever the alleged hack's origins, the NSA does have something to worry about: Someone is out to embarrass the agency and might have the tools to do just that at a particularly heated time in US politics. The agency should, of course, have a response plan. Snowden managed what the Shadow Brokers are shooting for on a far greater scale.

I'm associate editor for Forbes, covering security, surveillance and privacy. I've been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice Motherboard, Wired and BBC.com, amongst many others. I was named BT Security Journalist of the year in 2012 and 2013 for a range of exclusive articles, and in 2014 was handed Best News Story for a feature on US government harassment of security professionals. I like to hear from hackers who are breaking things for either fun or profit and researchers who've uncovered nasty things on the web. Tip me on Signal at 447837496820. I use WhatsApp and Threema too. Or you can email me at TBrewster@forbes.com, or tbthomasbrewster@gmail.com.